MITRE ATT&CK® Detection Strategy

DET0545: Detection Strategy for Cloud Administration Command

Enterprise · DET0545 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0545 is a detection strategy object for spotting abuse of cloud administration commands. Its business significance comes from the related ATT&CK technique, Cloud Administration Command, where administrative cloud services can be used to run scripts inside virtual machines through cloud management agents. For leaders, this is a control-plane-to-workload execution risk: if cloud administrative access is misused, the activity may look like normal operations unless identity, cloud audit, and host telemetry are connected.

Executive priority

Prioritize this as a cloud security and incident response readiness issue rather than only a malware detection problem. The key executive question is whether the organization can prove who invoked remote cloud administration commands, on which virtual machines, for what operational purpose, and whether the resulting workload activity was expected. This matters for business continuity, privileged access governance, audit evidence, and SOC triage because legitimate administration channels can become high-impact execution paths when administrative cloud access is compromised or misused.

Technical view

The supplied detection strategy has no official description or detection logic, so validation should be anchored to the relationship with T1651: Cloud Administration Command, an enterprise execution technique on IaaS platforms. SOC and detection teams should confirm visibility into cloud management service invocations such as remote command or runbook-style actions, the identity and permissions used, the target virtual machines, and the resulting in-guest process or script activity where available. Detection engineering should focus on correlating cloud control-plane events with workload telemetry and approved change activity, rather than treating either source in isolation.

Likely telemetry

  • Cloud control-plane audit logs for remote administration command, run command, or runbook execution events
  • Identity and access logs showing the principal, role, session, and authorization path used for cloud administrative actions
  • Target virtual machine metadata, including instance identity, account/subscription/project context, and region where applicable
  • Virtual machine agent logs associated with cloud management command execution
  • Endpoint or workload process creation, script execution, and command-line telemetry from affected virtual machines, if collected

Detection direction

  • Validate that cloud administration command events are logged and retained with actor, target, time, and command/job metadata sufficient for investigation.
  • Correlate cloud control-plane command execution with in-guest workload telemetry to identify what actually ran after the cloud action was invoked.
  • Baseline expected administrative automation and scheduled runbook activity to reduce false positives from normal operations.
  • Alert on command execution by unusual principals, from unusual sessions, against sensitive or atypical virtual machines, or outside approved maintenance windows where local policy defines those conditions.
  • Watch for blind spots where cloud audit logging exists but VM agent logs, endpoint telemetry, or command output are not collected, making it difficult to confirm execution results.
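The correlation and baselining steps above can be expressed as a small analytic. The following is an added example written for this page, not detection logic from the DET0545 object, from MITRE, or from Glexia. It uses AWS Systems Manager (named later on this page) as the cloud management service: the control-plane records are constructed, simplified CloudTrail-style SendCommand events, the in-guest records follow an assumed normalized process-creation schema, and the agent worker process name, approved principals, maintenance window and sensitive-instance list are placeholders a team would replace with its own baseline. Each command invocation is joined to the processes the management agent spawned on the target instance shortly afterwards, and a command with no in-guest match is flagged as the collection blind spot described in the last bullet.

```python
"""Correlate cloud administration command events with in-guest telemetry.

Added example for this page; not code from the DET0545 object, MITRE or Glexia.
All records below are constructed. Field names are simplified CloudTrail-style
names for AWS Systems Manager SendCommand (control plane) and an assumed
normalized process-creation schema (in-guest). Policy values are placeholders.
"""
from datetime import datetime, timedelta, timezone

# Constructed control-plane events (simplified CloudTrail-style records).
CONTROL_PLANE_EVENTS = [
    {"eventTime": "2026-03-01T02:15:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand", "principal": "arn:aws:iam::111111111111:role/PatchAutomation",
     "instanceIds": ["i-0aaa1111"], "documentName": "AWS-RunPatchBaseline", "commandId": "cmd-0001"},
    {"eventTime": "2026-03-01T14:40:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand", "principal": "arn:aws:iam::111111111111:user/contractor-tmp",
     "instanceIds": ["i-0bbb2222"], "documentName": "AWS-RunShellScript", "commandId": "cmd-0002"},
    {"eventTime": "2026-03-01T02:30:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "SendCommand", "principal": "arn:aws:iam::111111111111:role/PatchAutomation",
     "instanceIds": ["i-0ccc3333"], "documentName": "AWS-RunShellScript", "commandId": "cmd-0003"},
]

# Constructed in-guest process-creation telemetry (assumed normalized schema).
# The agent worker name is an assumption about how the management agent appears
# as a parent process; adjust to what your endpoint telemetry actually records.
IN_GUEST_EVENTS = [
    {"ts": "2026-03-01T02:15:20Z", "instance_id": "i-0aaa1111",
     "parent_image": "ssm-document-worker", "image": "/usr/bin/yum", "cmdline": "yum update -y"},
    {"ts": "2026-03-01T14:40:35Z", "instance_id": "i-0bbb2222",
     "parent_image": "ssm-document-worker", "image": "/bin/sh", "cmdline": "sh -c 'hostname && uptime'"},
    # i-0ccc3333 reports no in-guest telemetry at all: a collection blind spot.
]

# Placeholder local policy: approved automation identities, a UTC maintenance
# window, instances that warrant scrutiny, and how long after the control-plane
# call to look for the resulting in-guest processes.
POLICY = {
    "approved_principals": {"arn:aws:iam::111111111111:role/PatchAutomation"},
    "maintenance_window_utc": (1, 5),  # hours: inclusive start, exclusive end
    "sensitive_instances": {"i-0ccc3333"},
    "agent_parents": {"ssm-document-worker", "ssm-session-worker"},
    "correlation_window": timedelta(minutes=10),
}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_maintenance_window(ts, window):
    start, end = window
    return start <= ts.hour < end


def correlate_in_guest(event, in_guest, policy):
    """Processes spawned by the management agent on the targeted instances
    within the correlation window after the control-plane command."""
    t0 = parse_ts(event["eventTime"])
    t1 = t0 + policy["correlation_window"]
    return [p for p in in_guest
            if p["instance_id"] in event["instanceIds"]
            and p["parent_image"] in policy["agent_parents"]
            and t0 <= parse_ts(p["ts"]) <= t1]


def evaluate(events, in_guest, policy):
    """One finding per SendCommand event, with the reasons it deviates from
    policy (empty list means it matched the baseline)."""
    findings = []
    for ev in events:
        if ev["eventSource"] != "ssm.amazonaws.com" or ev["eventName"] != "SendCommand":
            continue
        ts = parse_ts(ev["eventTime"])
        reasons = []
        if ev["principal"] not in policy["approved_principals"]:
            reasons.append("unapproved_principal")
        if not in_maintenance_window(ts, policy["maintenance_window_utc"]):
            reasons.append("outside_maintenance_window")
        if set(ev["instanceIds"]) & policy["sensitive_instances"]:
            reasons.append("sensitive_target")
        matched = correlate_in_guest(ev, in_guest, policy)
        if not matched:
            # Cloud audit shows the command, but nothing confirms what ran.
            reasons.append("no_in_guest_telemetry")
        findings.append({"commandId": ev["commandId"], "principal": ev["principal"],
                         "targets": ev["instanceIds"], "document": ev["documentName"],
                         "reasons": reasons, "in_guest": [p["cmdline"] for p in matched]})
    return findings


def alerts(findings):
    """Findings that deviate from the baseline and should reach an analyst."""
    return [f for f in findings if f["reasons"]]


def demo():
    return evaluate(CONTROL_PLANE_EVENTS, IN_GUEST_EVENTS, POLICY)


if __name__ == "__main__":
    for f in alerts(demo()):
        print(f["commandId"], f["principal"], f["targets"], f["reasons"], f["in_guest"])
```

Running the block prints two alerts: cmd-0002 (unapproved principal, outside the maintenance window, with the in-guest shell command it produced) and cmd-0003 (sensitive target with no in-guest telemetry to confirm execution). cmd-0001 matches the baseline and is suppressed, which is the false-positive reduction the baselining bullet asks for. In production the two record sets would come from the cloud audit log and the endpoint or agent telemetry pipeline, and the join key would normally include the command or job identifier where the in-guest logs carry it.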

Mitigation priorities

  • Restrict permissions that allow cloud administration command execution to the minimum required administrative roles and automation identities.
  • Review privileged cloud identities and service accounts that can invoke remote commands on virtual machines.
  • Require operational approval and change tracking for remote command and runbook activity where business processes support it.
  • Ensure cloud control-plane logging and workload telemetry are enabled and retained long enough to support SOC investigation and compliance evidence.
  • Segment duties between cloud administration, automation operation, and incident response review where feasible.

Analyst notes and limits

This take is based on the DET0545 detection strategy metadata and its relationship to T1651 Cloud Administration Command. The DET0545 object does not include official detection text, tactics, platforms, or a description. The practical guidance therefore relies on the supplied relationship context: execution through cloud management services in IaaS environments, including examples such as AWS Systems Manager, Azure RunCommand, and Runbooks.

No active exploitation, attribution, specific vendor detection coverage, or guaranteed analytic behavior is stated in the supplied ATT&CK fields. Local cloud architecture, enabled logging, IAM design, VM agent configuration, and change-management practices are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Detection Strategy for Cloud Administration Command

No official description is available in the imported ATT&CK source object.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                          Relationship / procedure
Enterprise  T1651  Cloud Administration Command  This object detects Cloud Administration Command.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 63895c8363e8fa83...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  63895c8363e8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0545

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.